[ https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16032144#comment-16032144 ]

Yongjun Zhang edited comment on HADOOP-14445 at 5/31/17 10:43 PM:
------------------------------------------------------------------

Hi [~shahrs87],

The current format of key provider URI is:

{code}
    /**
     * This provider expects URIs in the following form :
     * kms://<PROTO>@<AUTHORITY>/<PATH>
     *
     * where :
     * - PROTO = http or https
     * - AUTHORITY = <HOSTS>[:<PORT>]
     * - HOSTS = <HOSTNAME>[;<HOSTS>]
     * - HOSTNAME = string
     * - PORT = integer
     *
     * If multiple hosts are provider, the Factory will create a
     * {@link LoadBalancingKMSClientProvider} that round-robins requests
     * across the provided list of hosts.
     */
{code}

Each host corresponds to one KMS, so I thought we just need to split the hosts part, 
make each one its own URI with the corresponding host, and use that as the 
tokenService key for each KMS.

So when we collect a delegation token from one KMS, we associate the token with 
each KMS and the corresponding URI. It's more robust to me because the info 
about each KMS is only about itself, no host concatenation in the key of <key, 
DT> map.

About
{quote}
 currently RM (kms token renewer) is still dependent on local conf to find the 
key provider since the current token service format is ip:port. It doesn't know 
anything about the protocol (http or https).
{quote}

With either the current patch or Arun's #2 solution, we can address this 
problem, so this seems an orthogonal issue, no?

Hi [~asuresh], thanks for your earlier proposal, would you please comment here?

Thanks.


> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>
>                 Key: HADOOP-14445
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14445
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: documentation, kms
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>            Reporter: Wei-Chiu Chuang
>            Assignee: Rushabh S Shah
>         Attachments: HADOOP-14445-branch-2.8.patch
>
>
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider does 
> not share delegation tokens. (A client uses the KMS address/port as the key for 
> the delegation token.)
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
>   // the token is looked up by host:port of the KMS instance being contacted
>   InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
>       url.getPort());
>   Text service = SecurityUtil.buildTokenService(serviceAddr);
>   dToken = creds.getToken(service);
> }
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation 
> tokens too.
> Under HA, A KMS instance must verify the delegation token given by another 
> KMS instance, by checking the shared secret used to sign the delegation 
> token. To do this, all KMS instances must be able to retrieve the shared 
> secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share 
> delegation tokens.
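A worked illustration of both points above, the host:port token key from the quoted issue description and the per-host URI proposal from the comment. This is an added example, not Hadoop code or code from the comment; the function names (split_kms_uri, legacy_token_service, per_host_credentials) and the example hostnames are constructed.

```python
# Constructed illustration for HADOOP-14445; not Hadoop's implementation.
import re

# kms://<PROTO>@<AUTHORITY>/<PATH>, AUTHORITY = <HOSTS>[:<PORT>], HOSTS = host[;host...]
KMS_URI_RE = re.compile(r"^kms://(?P<proto>https?)@(?P<authority>[^/]+)(?P<path>/.*)?$")


def _parse(uri):
    m = KMS_URI_RE.match(uri)
    if not m:
        raise ValueError("not a kms:// URI: %r" % (uri,))
    hosts, _, port = m.group("authority").partition(":")
    return m.group("proto"), [h for h in hosts.split(";") if h], port, m.group("path") or ""


def split_kms_uri(uri):
    """One single-host kms:// URI per KMS instance, as the comment proposes."""
    proto, hosts, port, path = _parse(uri)
    suffix = (":" + port) if port else ""
    return ["kms://%s@%s%s%s" % (proto, h, suffix, path) for h in hosts]


def legacy_token_service(host_uri):
    """Mimics the host:port key built in DelegationTokenAuthenticatedURL#openConnection
    (SecurityUtil.buildTokenService on the URL's host and port); the protocol is lost."""
    proto, hosts, port, _ = _parse(host_uri)
    return "%s:%s" % (hosts[0], port or ("443" if proto == "https" else "80"))


def legacy_credentials(lb_uri, token):
    """Current behaviour: the token is keyed only by the instance it was fetched from."""
    first = split_kms_uri(lb_uri)[0]
    return {legacy_token_service(first): token}


def per_host_credentials(lb_uri, token):
    """Proposed behaviour: a token fetched from one instance is stored under every
    per-host URI, so a round-robin request to another instance still finds it."""
    return {host_uri: token for host_uri in split_kms_uri(lb_uri)}


def find_token(creds, key):
    return creds.get(key)


if __name__ == "__main__":
    # Constructed HA setup: two KMS instances behind one load-balancing URI.
    lb = "kms://https@kms1.example.com;kms2.example.com:9600/kms"
    tok = "dt-from-kms1"  # constructed delegation token fetched from kms1
    legacy, proposed = legacy_credentials(lb, tok), per_host_credentials(lb, tok)
    for host_uri in split_kms_uri(lb):
        print(host_uri, find_token(legacy, legacy_token_service(host_uri)), find_token(proposed, host_uri))
```

Running it shows the second instance returning None under the legacy host:port key while every per-host URI resolves the same token under the proposed scheme.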


